Re: Absolute Sownage (A concise history of recent Sony hacks)

[mrx <mrx () propergander org uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/06/2011 01:04, Nick FitzGerald wrote:
> mrx wrote,
>
> > I am a little frightened that my web app will be owned and user
> > credentials exposed.  ...
>
> Keep that attitude when you are no longer a "noob" web-app developer 
> and the world will be a better place.
>
> There are far too many "hack" web coders out there, and the evidence 
> suggests that Sony employs quite a few of them...
>
> > ...  I have read much on SQL injection, XSS, remote
> > execution, session hijacking etc. I only think I have all bases
> > covered, I am not 100% sure. Is there a definitive text/book/white
> > paper on such matters and if so could someone please let me know
> > where I can find this? 
>
> I'm not a web-app expert at all -- I live and work in a niche 
> necessitated by the appalling condition that is "web security" in 
> general  (I'm a malware analyst who spends much of my time looking at 
> the stuff the bad guys who break poorly configured servers, poorly 
> configured and/or written web-apps, etc, etc put on those compromised 
> machines to wreak havoc further down the food chain) -- but if you're a 
> web-app developer and do not know about OWASP or what the OWASP "Top 
> 10" is, you're probably a shockingly bad web-app developer (but 
> probably well able to get plenty of work at the likes of Sony).
>
>
>
> Regards,
>
> Nick FitzGerald

Hi Nick

Yes I am on the OWASP mailing list, unfortunately the nearest branch meetings are quite a few miles away so I haven't 
managed to get to one yet.

I did the top 10 and hopefully with my limited experience and knowledge in this field have covered them all.

I would like someone smarter than me, which is probably most who read this list to try and hack my app.

I have done malware research too, played with reversing, captured stuff in a Honeypot, monitored flow through a 
Honeywall. I know a bit about a
lot of things but not a lot about any one thing in particular. I am pretty pleased with the fact that the last time I 
had a system infected with
malware, that I didn't infect on purpose, was my Amiga with the Saddam virus. I have always been paranoid ;-) IT isn't 
new to me, but IT
security is.

I need to focus but there is so much that interests me, I can't do it all but that doesn't stop me from trying.

Cheers
Dave


> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


- -- 
Mankind's systems are white sticks tapping walls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTfK4prIvn8UFHWSmAQLTnwgAq/o+S0TLUt8EVOjhEZrO7SQ5yf6EbMMF
ZPl0uhbULht9iwYLRUkYBXXAUXUj58J+EKJUrO/XuImLTrz8bpy2r/bSsB5x4jFB
Faye5SIaQRzZwFC/STihpgGiqiqAl+3Un1C/Fb2Xdgg2bG9yl/SxbtACMUZcg7Sa
HrkwjlVVZyt3Q02JaYT/4JFRcDG3TeogF41KPV5AG1DNdBkXR1kJnRsWCvnO376c
cT4ymOBWdhBYFeQvYI/YzTtTe4QoWkE/q8WYbuUE/vpGY13KA5Qd/JLLIL+oKxAw
xpHkql+iYDpCK3pLD3XeleuZAD1BJojVtpfQ97UiyBoj9P/nbRiHeQ==
=q5So
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/